Let’s talk about security hardening.
Sometimes less is more. And sometimes the more you add, the more dangerous your network becomes.
Thread:
There is a difference between doing things, and doing your job. Security for deeply mature technologies is intricate judgement.
All jobs are judgement – otherwise you’d be an Excel macro, Benihana chefs would be robots, and tree stump grinders would operate on autopilot.
Security hardening is not configuring a computer; it is changing the implicit contract by which it operates: how it interacts in a larger system.
It is ex post facto law. Things that were *technically permissible and functional* during development are now retroactively illegal.
Many of those things should have been illegal, and should be illegal now.
Ex post facto laws are not fair, which is why they’re ~mostly~ invalid.
But security changes to software platforms must almost always apply to things from the past, because they now operate in the present.
Security hardening is a good thing and required in technologies that go back decades, like Windows.
But you have to have enormous humility in doing it. You have to know what you’re going to convict. Software is rarely coded to do actions on a whim. You are changing the contract.
Even authored by experts, security hardening baselines are not infallible documents applicable to every situation.
The Microsoft baselines for Windows are now incredibly mature, shutting off the dangerous features almost universally without any impact.
That took a decade of work.
There are various seems-obvious security hardening settings in Windows. One of my favorites is, “Restrictions for Unauthenticated RPC Clients.”
I mean, you shouldn’t blindly accept unauthenticated connections. Security 101. Kerberos gives you seamless authentication. Turn it off.
With that one setting, abstractly explained in the description of what it does, you have very likely broken your domain so badly you can’t even issue updates to fix it, because the machines can’t communicate for new updates anymore.
You tried to do the right thing, and did the wrong one.
You are in an incredibly asymmetrical position. You have changed something that by definition the relying party almost certainly can’t understand.
You have broken the contract.
Skills required to diagnose the problems caused by this are just enormous. https://blog.mamc-llc.com/2019/04/25/netlogon-errors-due-to-rpc-mismatch-between-windows-clients-and-domain-controllers/
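As an added example that is not from the thread: a PowerShell check that reports what the "Restrictions for Unauthenticated RPC Clients" policy is currently set to on a machine, so you know the contract you are about to change before a baseline applies it. The registry path and the 0/1/2 meanings are the documented backing values of that policy; the HighRisk flag (strictest level on a domain-joined machine) is my assumption, drawn from the failure the thread describes.

```powershell
# Added audit helper (not from the thread): report the effective value of the
# "Restrictions for Unauthenticated RPC Clients" policy on this machine.
# The registry location below is the documented backing value for that policy.
function Get-RpcUnauthenticatedClientRestriction {
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
    $name = 'RestrictRemoteClients'

    $raw = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $raw) {
        # Policy not set: the OS default applies and nothing has been changed yet.
        $level = $null
        $label = 'Not configured (policy absent, OS default in effect)'
    }
    else {
        $level = [int]$raw.$name
        $label = switch ($level) {
            0       { 'None (unauthenticated RPC clients allowed)' }
            1       { 'Authenticated (compatibility exemptions kept)' }
            2       { 'Authenticated without exceptions (strictest)' }
            default { "Unknown value $level" }
        }
    }

    # Domain membership matters: the failure mode described in the thread is
    # domain-joined machines no longer able to reach their domain controllers.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $joined = [bool]$cs.PartOfDomain

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        DomainJoined = $joined
        Level        = $level
        Setting      = $label
        # Assumption: the strictest level on a domain member is the case to
        # review with a lab test before rolling the baseline out.
        HighRisk     = ($level -eq 2 -and $joined)
    }
}

Get-RpcUnauthenticatedClientRestriction | Format-List
```

Run it on a representative client and on a domain controller before and after the baseline lands, and keep the two outputs with the change record so the next person does not have to rediscover why the setting is there.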
There are two documents about IT security I hold as the most important artifacts in my profession. One is historical. And one is advice won hard by the experience of people trying to do the right thing.
The Trustworthy Computing Memo by Bill Gates reoriented Microsoft forever.
The second is the blog post “Sticking with Well-Known and Proven Solutions” by @AaronMargosis.
https://docs.microsoft.com/en-us/archive/blogs/fdcc/sticking-with-well-known-and-proven-solutions
I was 3 years into my career when this came out. It has shaped everything about what I do.
Aaron would later take over the security baselines for Windows.
Guided by it, I would enter an environment with 20 years of well-intentioned, but restricting, config changes. Ones so old nobody even knew the reasons anymore.
My job is to understand Windows at the level required to now undo them.
And I think about that post Every. Fucking. Day.
I have the experience and skill to make novel changes to Windows to better secure it. For example, adding Execute [DENY]INTERACTIVE to MpCmdRun.exe to stop attackers dumping Defender. Under my monitoring, it would likely work well. But I am not forever. I am not 20 years later.
This was an obvious problem, so obvious I as a customer recognized it. Microsoft would later add a setting to Defender called Anti-Tampering to do the same thing, but in a supported fashion.
I would have created configuration risk myself instead of demanding the vendor fix it.